OceanLotus, the Vietnam-aligned advanced persistent threat group, conducted two separate espionage campaigns targeting Vietnamese organizations using the SPECTRALVIPER backdoor between mid-2024 and February 2026.

The first campaign focused on a Vietnamese infrastructure and transport construction corporation, establishing long-term access through SPECTRALVIPER. The second involved a supply chain attack, though specific victim details remain limited in available reporting.

SPECTRALVIPER functions as a full-featured remote access backdoor, granting attackers command execution, file transfer, and system reconnaissance capabilities. OceanLotus deployed the malware through targeted phishing and likely watering hole attacks against Vietnamese investors and business entities.

OceanLotus, also tracked as APT32 and Cobalt Kitty, operates with Vietnamese government alignment and specializes in targeting Southeast Asian organizations, maritime industries, and government agencies. The group maintains sophisticated operational security and employs custom malware families to evade detection.

The infrastructure and construction sector represents a critical target for state-sponsored espionage operations. Such sectors often hold sensitive information regarding government contracts, resource management, and supply chain details valuable to intelligence services. The targeting of stock investors indicates OceanLotus also pursued financial intelligence gathering or market manipulation opportunities.

Supply chain attacks amplify threat impact by compromising vendors to access downstream customers. OceanLotus historically exploited supply chains to distribute backdoors across multiple organizations simultaneously, reducing the need for individual compromise attempts.

Organizations should implement detection for SPECTRALVIPER signatures and monitor for unusual outbound connections that may indicate a compromised system. Network segmentation limits lateral movement following initial compromise. Email filtering and user training reduce the effectiveness of phishing, the primary delivery mechanism for targeted backdoors.

Vietnamese entities face persistent targeting from OceanLotus and require advanced threat monitoring, incident response capabilities, and threat intelligence integration.